Trojan Android OS Hesperbot

Figure 1: Android launcher menu, presenting the installed Hesperbot under the name “Activation”.

Android malware is evolving at an alarming rate and becoming more aggressive and resilient in nature. This shift shows attempts to target bank accounts, messages and other personal information. It seems that cyber criminals are no longer satisfied with what they steal from their victims. Now, they try to inflict damage by other means; the latest case shows a sophisticated banking malware that tries to deny all access to the victim’s smartphone using crafty software means.

Back in April of 2014, our malware analysts came across a particularly dangerous variant of the Trojan.AndroidOS.Hesperbot (see Figure 1 to view the launcher icon) that, besides stealing personal banking data and personal messages, managed to lock the user completely out of his/her smartphone. The creators of this type of malware used various methods of social engineering, like fear tactics and phishing to trick the user into installing their “very secure certificate”. Before the smartphone is infected, the victim’s PC has to also be infected with an online banking Trojan. This is where the desktop version of Hesperbot (Trojan.Win32.Hesperbot) comes into play. This malware is sent through a phishing mail or downloaded while surfing suspicious websites. If the victim connects to their online bank account, a message gets injected into the website’s data stream and it tricks the user to install the android app. After the installation, an activation code is generated (see Figure 2) and also verified on the modified website. At this point, the attacker is aware that someone has fallen for the trick and can start to collect money from the victim’s bank account.

Figure 2: Hesperbot requesting activation code from the user.

Shockingly, it does not end here. The mobile app asks the user now for “Device Administrator” rights, a tool mostly used by MDM Systems and corporate applications. If this permission is granted, the malicious app can prevent itself from being uninstalled. The attacker specifically designed the approval dialog in a way that makes it impossible for the user not to activate the app. The dialog will pop-up again and again and will make the device completely unusable, unless the user selects “Activate” (see Figure 3).

Figure 3: Attempt to unlock the infected smartphone.

The locking of the smartphone only occurs when the user tries to uninstall the “certificate” App and the malware detects this. Once the malware has administrator rights, Android’s built in password protected lock screen activates and locks the smartphone using a password generated by the malware. The generated code is of course unknown to the user. This way all the data that is present on the smartphone will be locked away from the user, rendering the smartphone useless. (See Figure 4.)

Figure 4: Hesperbot requesting administrator rights.

Here at IKARUS Security Software GmbH our talented analysis team found a way to unlock smartphones that were infected by Hesperbot and remove the malware, without causing data loss. Since sensitive data on the smartphone cannot be accessed by normal means and the data that we needed was only available to the malware that was sitting on the smartphone, our team had to hack the smartphone and override the installed malware to make it reveal its code for us.

After the code was found (see Figure 5), our team used the malware’s own malicious code to generate the password that finally unlocked the infected smartphone. At this point removing the malware (that now became harmless) was a routine task (see Figure 6).

Figure 5: Tricking the malware into giving away its code.

Additionally we uncovered 10,000 activation keys and uninstall codes (see download file below), that could be used to uninstall the virus from the infected smartphones. This can only be done when the response code or activation code is known or when the virus's internal database can be read.

We at IKARUS suggest the use of mobile anti-virus to protect your handheld device from viruses like Hesperbot. Our very own IKARUS mobile.security App is capable of doing just that and even more. Check out IKARUS mobile.security in Google Play and make a step towards a more secure Android smartphone.